O2 customer data leak: Industry reaction

Following today's news that customer data from O2 has been found for sale on the Dark Web, various industry professionals have offered their reaction and analysis.

Hans Zandbelt, senior technical architect, Ping Identity:

"Another high-profile data breach such as this reminds us that our identities are increasingly becoming the target for many sophisticated hackers today. Using the same password for multiple applications and websites is simply no longer fit for purpose.

"High-profile brands and businesses must implement and invest in two-factor and multi-factor authentication to safeguard data and maintain customer loyalty. Not only does two-factor authentication allow for a more secure service in our digital era, but such technology is crucially tied to the identity of the customer; this is imperative in alleviating the requirement for customers to remember and type in complex passwords over and over again."

Kevin Cunningham, president and founder of SailPoint:

“You might be thinking – why are we still talking about passwords after all these years? Well, the truth is, password management is still very much a critical element of an organisation's security and risk management programs and one that many organisations are still struggling to get right.

“In fact, many of the major security breaches that have occurred over the last couple of years – ones that have even impacted the most basic consumer – have all been related to passwords. The most obvious and simple measures are still being overlooked, or often, business users are simply unaware of the potential dangers, which will only get worse as we continue to adopt applications – both cloud and web applications – across the organisation at the rate we have been over the last couple of years, especially without any control or oversight from IT.”

James Romer, Chief Security Architect Europe, SecureAuth:

“The O2 data leak must be a stark wake-up call for businesses who continue to rely on traditional username and password authentication alone. We all know that using the same password/username credentials across multiple sites is a bad idea, yet it still happens far too often. Users have difficulty remembering different passwords for the multitude of needs of our online lives, so they default to using the same password over and over, and it’s generally something simple. How many times has 1234 topped the most common password list?

“However, bad actors are taking advantage of this laissez-faire attitude, trying stolen credentials not just on one site but on a number, even employing botnets which automate the process. Where the same credential combinations are repeatedly being used across a number of accounts, it’s the equivalent of a skeleton key to your online life.

“Organisations must move away from the current reliance on a single point of authentication to multifactor, or even better, continuous authentication. Not only does this render stolen credentials completely worthless across the breached site, it also means they cannot be used to compromise users more broadly.”

Richard Parris, CEO at Intercede:

"The customers affected by breaches of this nature are those who recycle their passwords across multiple identities, but it’s time that service providers stopped blaming their customers for what is grossly inadequate security. Simple password-based authentication just doesn’t work – none of us can possibly remember enough complex passwords to make the approach viable.

“It’s imperative that organisations now reject simple password authentication and adopt secure alternatives before consumers lose complete faith in the online services provided to them. In the ‘age of the hack,’ the future of online security relies on a much more proactive stance; embedding measures into the very fabric of technology we use in our everyday lives, from the silicon chips used in smartphones, to the apps and services these sites offer. If not, will large-scale data breaches ever be a thing of the past?”

Luke Brown, VP and GM EMEA, India and LatAm at Digital Guardian:

“This hack highlights the fact that even the biggest brands, with the most advanced security, can be breached. The simple truth is that O2 has little control over its customers’ password reuse habits and even less control over the security practices of other organisations. These two factors will always be the Achilles’ heel of security-conscious businesses.